Proposed security standards for online payments in EU leave a lot to be desired of

PRESS STATEMENT - 27.11.2017

The European Commission today proposed new security standards for online payments in a bid to cut the growing level of fraud that consumers are experiencing [1]. The European Consumer Organisation regrets that the standards proposed are weak and include too many derogations. 


Today’s standards complement general principles in online payments already laid out in 2015 [2]. The principles were that to execute a payment, a consumer needs to provide two of the three following criteria: something he has (for example the card) something he knows (for example a PIN code) and something about himself (for example a finger print).

Today’s standards set out when exemptions to these principles can apply. The exemptions are set at thresholds that are several times higher for cards than for credit transfers [3].

Monique Goyens, Director General of the European Consumer Organisation (BEUC) said: “These security standards are like a Swiss cheese. They might look good from the outside, but on the inside, there are lots of holes. For example, all transactions below €30 won’t need to meet these security standards. That means a lot of our daily transactions are left less secure.”

The Commission’s proposal also provides rules about the way banks and third-party payment services need to communicate to execute payments. BEUC is against screen scraping, which is where third-party providers have access to the consumer’s online banking interface and all types of account information. BEUC favours the creation of a separate and uniform interface which works between all banks and payment providers, where third party providers have access only to relevant account information needed to execute a payment.

Monique Goyens added:

“Data protection and the fear of cybersecurity attacks are the main concern for consumers.  That’s why BEUC is totally opposed to offering more data to payment service providers than is strictly necessary.”


[1] The value of all fraudulent transactions using cards online amounted to €1.44 billion in 2013, which of 8% from 2012. In 2015, in the EU related to internet payments.

[2] These principles are set out in the Payment Services Directive 2 which was adopted as EU law in 2015.

[3] A credit transfer is the process of moving money from one bank account to another electronically.